A Few Considerations Around Data Breaches in Australia

On 22 February 2018, Australia’s mandatory breach notification system was instituted, requiring businesses suffering (many types of) data breaches to inform authorities and people affected by the data breach – at least, for any business with an annual turnover of $3 million AUD or more.

Since then, the Office of the Australian Information Commissioner (OAIC) has released 2 complete quarterly reports and 1 partial quarterly report. The partial report, covering January 1 2018 to March 31 2018 showed 63 reported breaches in the quarter; the number might seem surprisingly low, but when you consider businesses didn’t have to start reporting breaches until February 22, 2018, that effectively means there were 1.7 breaches reported a day during the mandatory reporting period. For April 1 2018 through to June 30 2018, there were 242 notifications, and for the most recently reported period, July 1 2018 through to September 30, 2018, there were 245 breach notifications.

Data Breaches

While there’s no reporting requirement for businesses with an annual turnover of $3M AUD or less, we should also keep in mind when considering these numbers that a lackadaisical approach to aspects of reporting is not uncommon in Australia; the simple fact that wage and superannuation theft is so high [1] suggests that at least some companies will ignore this requirement (or claim ignorance of it) until strong penalties become the norm.

That being said, 245 reported breaches in the most recent 92 days reporting period (2.66 per day) is hardly insubstantial, and given the parallel to the previous reporting period (2.65 per day) perhaps suggests that it’s not a matter of if your data may be exposed in a breach, but when.

According to the most recent report, 37% of breaches were caused by human error, 57% by malicious/criminal activity, and 6% by ‘system faults’. What should perhaps be concerning for consumers is the types of businesses that reported data breaches. In Q3 2018, that was:

  • Health service providers: 45 breaches reported
  • Financial services: 35
  • Legal/accounting/management: 34
  • Education: 16
  • Personal services: 13

In Q2 2018 (242 reported breaches) the top 5 affected industries were:

  • Health service providers: 49 breaches reported
  • Finance: 36
  • Legal/accounting/management: 20
  • Education: 19
  • Business & Professional Associations: 15

So in both cases, it’s fair to say that the businesses holding potentially the most sensitive information about Australian citizens – health and finance – also saw the most breaches. Yet the above statistics are not necessarily entirely representative: while health services and the finance industry are required to report breaches regardless of annual turnover, health industry notifications made under the My Health Records Act of 2012 aren’t subject to the mandatory breach notification act. In other words, the waters are muddied.

There are some potential reasons to consider as to why this is the case, including:

  • A greater likelihood of those industries actually reporting breaches [2]
  • These industries represent greater potential for mischief and a more appealing target for attackers.

(There can be other reasons too, of course. Australian Education departments tend to have more challenging budgetary constraints than, say, financial services, and it’s often the perception that legal/accounting companies are better at advising people what to do than they are at doing it themselves from an IT perspective.)

An interesting aspect of the breach reporting is the differentiation between system faults and human error. The percentage of system faults reported is relatively low (6% in the Q3 2018 report vs 37% human error), yet when we drill into what constitutes a system fault, it’s clear it’s some form of human error, viz.:

  • Unintended access
  • Unintended release or publication

In this, we might say that a system fault is more of a secondary human error – i.e., a release made possible by an indirect human error, as opposed to a direct human error.

What’s the difference? Some would argue none. My point though is that a direct human error is where Barry in Finance accidentally emails a customer list to an unauthorised external contact, whereas an indirect human error might be where Sue developed an authentication system with a bug which 3 years later granted access to someone who shouldn’t have had access.

In either case, to call it a ‘system fault’ is likely to be sidestepping what the cause of the issue was.

So what are the options for human error? It’s a sad list of processes not being followed, including:

  • Failure to use BCC when sending email
  • Insecure disposal
  • Loss of paperwork/data storage device
  • Personal Information sent to wrong recipient (broken up into: email, fax, mail, other)
  • Failure to redact
  • Unintended release/publication of information
  • Unauthorised verbal disclosure.

(It’s gratifying to note that Failure to use BCC when sending email is potentially a cause for a data breach notification. Anyone who has ever received an email from a company doing marketing where the entire recipient list is in the To: field may find that comforting.)
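As an added example (not code from the original post), the following pre-send check illustrates how the “failure to use BCC” category can be caught before a bulk message leaves the organisation: it counts the external addresses that would be visible to every recipient in To: or Cc: and rejects the message when there is more than one. The internal domain, the threshold and the two sample messages are constructed assumptions.

```python
"""Added example: flag outbound mail that exposes a bulk recipient list.

Not code from the original post. The internal domain, the policy threshold
and the sample messages below are assumptions made for illustration.
"""
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com.au"   # assumed: the sending organisation's own domain
MAX_VISIBLE_EXTERNAL = 1             # assumed policy: at most one external address may be visible


def visible_external_recipients(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Return external addresses that appear in To: or Cc:, i.e. addresses
    every recipient of the message would be able to see."""
    msg = message_from_string(raw_message)
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = []
    for _name, addr in visible:
        addr = addr.strip().lower()
        # A simple suffix match; subdomains of the internal domain are treated as external.
        if addr and not addr.endswith("@" + internal_domain):
            external.append(addr)
    return external


def check_recipient_exposure(raw_message, internal_domain=INTERNAL_DOMAIN,
                             max_visible_external=MAX_VISIBLE_EXTERNAL):
    """Return (ok, reason). ok is False when sending the message would disclose
    a list of external recipients to each other."""
    external = visible_external_recipients(raw_message, internal_domain)
    if len(external) > max_visible_external:
        return False, f"{len(external)} external addresses visible in To/Cc; move them to Bcc"
    return True, "ok"


# Constructed sample: a marketing send with the whole customer list in To:
BAD_MESSAGE = """\
From: news@example.com.au
To: alice@customer-a.example, bob@customer-b.example, carol@customer-c.example
Subject: March newsletter

Hello everyone,
"""

# Constructed sample: the same send with the list moved to Bcc
GOOD_MESSAGE = """\
From: news@example.com.au
To: news@example.com.au
Bcc: alice@customer-a.example, bob@customer-b.example, carol@customer-c.example
Subject: March newsletter

Hello everyone,
"""

if __name__ == "__main__":
    for label, raw in (("bad", BAD_MESSAGE), ("good", GOOD_MESSAGE)):
        print(label, check_recipient_exposure(raw))
```

The check has to run before submission: a mail server strips the Bcc: header on the way out, so by the time a message has left the organisation there is nothing to inspect, and the only evidence of the error is in the recipients’ inboxes.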

By comparison, malicious/criminal breaches are reported based on:

  • Cyber incident
  • Rogue employee/insider threat
  • Social engineering/impersonation
  • Stolen paperwork/data storage devices

Cyber incidents are subsequently broken down into:

  • Brute force attacks
  • Hacking
  • Ransomware
  • Malware
  • Compromised/stolen credentials
  • Phishing

One suspects there’s some overlap there based on how businesses interpret what has gone on within their environments.

By now you’re perhaps wondering: what does this have to do with data protection?

Well, everything, if we consider data protection to be a broader umbrella than just data storage protection (viz: backup and recovery, snapshots, replication, etc). After all, if you say “data protection” to someone who works in IT without any context, they might think security, or backup, or even privacy, depending on what their personal context is. And as more jurisdictions formalise privacy legislation, data protection as a privacy function is something which is going to get increasing attention.

In this case though, we’re talking data protection as something that encompasses all three fields: in situations where data is exfiltrated and destroyed, or simply destroyed, the sorts of data protection normally covered on this blog (backup and recovery) will come into play to get that data back. Undeniably too, data breaches represent security incidents for most businesses as well – they may be a process security risk or a systems security compromise, but the net result of the wrong person or persons getting access to data is the same.

Our traditional forms of data protection – backup/recovery, etc. – have a further part to play in breach reporting, too. While we’re likely to see increasing numbers of businesses use log aggregation/data mining facilities, others will resort to manual processes here, such as recovering log files from an incident in order to better understand what happened. We also have to keep in mind that criminal elements are getting smarter, too, and are starting to target backup environments. In some cases, this has been to destroy backup content before moving on to production systems (hence the need for cyber recovery systems), but an inappropriately secured backup environment potentially gives cyber-criminals that have infiltrated an environment (or rogue employees) easy access to systems data.

It’s important therefore, even if you think you’re just the backup administrator, to start thinking at a bigger level: how does your work in data protection fit into the broader requirements your business has when it comes to data protection as an umbrella term encompassing security and privacy? If you think it doesn’t, you’re leaving yourself unprepared to defend against data breaches.

Footnotes

  1. Wage Theft Endemic Across Australia, Anna Patty, 20 November 2017, Sydney Morning Herald
  2. Though anyone who has paid attention to the Australian Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry might think otherwise.
